{"id":73035,"date":"2026-07-01T15:25:39","date_gmt":"2026-07-01T23:25:39","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=73035"},"modified":"2026-07-01T15:26:17","modified_gmt":"2026-07-01T23:26:17","slug":"upcoming-change-ntlm-removal-in-git-libcurl-impact-to-azure-devops-server-customers","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/upcoming-change-ntlm-removal-in-git-libcurl-impact-to-azure-devops-server-customers\/","title":{"rendered":"Upcoming Change: NTLM Removal in Git (libcurl) \u2013 Impact to Azure DevOps Server Customers"},"content":{"rendered":"<h2>Overview<\/h2>\n<p>In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operations over HTTPS against Azure DevOps Server (on-premises) will stop working for customers who rely on NTLM authentication. This change is part of a broader industry move toward more secure authentication mechanisms.<\/p>\n<p>Many environments may be affected even if they believe they are using Kerberos. This is because Negotiate (SPNEGO) authentication can silently fall back to NTLM when Kerberos is not properly configured, leading to unintentional dependency on NTLM.<\/p>\n<p>If your environment currently depends on NTLM authentication, you will need to transition to a supported alternative before it is removed. Based on current guidance, customers should move to Kerberos authentication wherever possible and avoid continued reliance on NTLM, as it is deprecated and will not be supported going forward. While older Git client versions may temporarily continue to support NTLM, this approach is strongly discouraged due to security risks and its limited viability as a long-term solution. Moving away from NTLM also improves your organization\u2019s security posture by eliminating legacy authentication protocols, strengthens compliance alignment with modern identity standards, and ensures future readiness as platforms continue to deprecate NTLM.<\/p>\n<h2>Who Is Impacted<\/h2>\n<p>This change primarily affects Azure DevOps Server customers in the following scenarios:<\/p>\n<ul>\n<li>Environments where IIS is configured with both Negotiate and NTLM enabled, especially if NTLM remains available as a fallback.<\/li>\n<li>Environments where Kerberos is not fully configured end-to-end, including missing or incorrect SPNs, DNS aliases, load balancer configuration, or delegation requirements.<\/li>\n<li>Customers who believe they are using Kerberos but have not validated it, because SPNEGO\/Negotiate can silently fall back to NTLM.<\/li>\n<li>Clients or automation running in contexts where Kerberos cannot obtain a valid service ticket, such as non-domain-joined machines, workgroup machines, service accounts, build agents, or machines outside the corporate network without line of sight to a domain controller.<\/li>\n<li>Environments that rely on older Git clients or temporary NTLM re-enable settings to keep Azure DevOps Server Git operations working.<\/li>\n<\/ul>\n<p>These configurations may continue to work today because NTLM is available as a fallback, but they are at risk of breaking once NTLM support is removed from Git\/libcurl. Customers should validate whether Kerberos is actually being used and remediate any fallback to NTLM before September 2026.<\/p>\n<h2>What you need to do<\/h2>\n<p>To prepare for this change, we recommend the following steps:<\/p>\n<h3>1&#46; Determine if you are using NTLM<\/h3>\n<p>Customers should validate whether their Git connections are using Kerberos or NTLM. Azure DevOps Server accepts both via Windows Integrated Authentication, and &#8220;Negotiate&#8221; can silently fall back to NTLM, so a working connection doesn&#8217;t reveal which is in use. Recent Git for Windows builds disable NTLM by default, so connections that relied on it will now fail.<\/p>\n<p><strong>Recommended actions:<\/strong><\/p>\n<p>1&#46; Look for the NTLM warning<\/p>\n<ul>\n<li>If a remote Git operation shows an NTLM warning message then the connection is using NTLM<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/07\/GCM.webp\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/07\/GCM.webp\" alt=\"GCM NTLM warning message\" width=\"407\" height=\"106\" class=\"alignleft size-full wp-image-72758\" \/><\/a><\/p>\n<ul>\n<li>Likewise, if your operation fails with the following error message from Git on the terminal then you are attempting to use NTLM<\/li>\n<\/ul>\n<blockquote>\n<p>Warning: Due to its cryptographic weaknesses, NTLM authentication has been disabled in Git by default. You can re-enable it for trusted servers by running: git config set >http.http:\/\/localhost:8080.allowNTLMAuth true<\/p>\n<\/blockquote>\n<p>2&#46; Check the Kerberos ticket cache<\/p>\n<ul>\n<li>Run a remote Git operation the check for a service ticket for the server: <\/li>\n<\/ul>\n<pre><code class=\"text\">klist purg \ngit fetch \nklist\n<\/code><\/pre>\n<p>A ticket with Server: HTTP\/tfs.contoso.com confirms <strong>Kerberos<\/strong>; no such ticket means NTLM (or auth failed).<\/p>\n<p>3&#46; Inspect the HTTP trace from Git<\/p>\n<ul>\n<li>Enable request tracing and run a remote operation:<\/li>\n<\/ul>\n<pre><code class=\"text\">set GIT_TRACE_CURL=1\nset GIT_TRACE_REDACT=0\ngit fetch 2&gt; trace.txt\n<\/code><\/pre>\n<p>In the trace.txt file if you see the <code>Authorization: line NTLM TlRMT<\/code>&#8230; this means that NTLM is being used. If you see <code>Negotiate &lt;token&gt;&lt;\/token&gt;<\/code> then to confirm the token is for a Kerberos negotiation you can run this small PowerShell command to inspect the token:<\/p>\n<p><code>$token = \"paste the token from the Authorization: Negotiate line here\";\n$b=[Convert]::FromBase64String($token -replace '\\s'); if([Text.Encoding]::ASCII.GetString($b) -match  'NTLMSSP'){'NTLM'}elseif([BitConverter]::ToString($b) -match  '2A-86-48-86-F7-12-01-02-02'){'Kerberos'}else{'Unknown'}<\/code><\/p>\n<h3>2&#46; Ensure Kerberos is fully working by September 2026<\/h3>\n<p>To avoid disruption, ensure Kerberos authentication is correctly configured end-to-end.<\/p>\n<p>This includes:<\/p>\n<ul>\n<li>Proper Service Principal Names (SPNs)<\/li>\n<li>Domain controller connectivity from client machines<\/li>\n<li>Correct IIS configuration<\/li>\n<\/ul>\n<p>With recent Git improvements, Kerberos support is becoming easier to use without additional configuration.<\/p>\n<h3>3&#46; Plan for NTLM fallback removal<\/h3>\n<p>NTLM fallback, including fallback through SPNEGO\/Negotiate, will no longer be available once NTLM support is removed from Git\/libcurl. Customers should plan now to remove any dependency on NTLM and validate that Kerberos works end-to-end.<\/p>\n<p>Recommended planning guidance:<\/p>\n<ul>\n<li>Do not rely on NTLM fallback as a long-term mitigation.<\/li>\n<li>Do not plan to re-enable NTLM after removal; there will be no supported way to continue using it.<\/li>\n<li>Avoid downgrading Git to retain NTLM support, as this introduces security risk and only delays remediation.<\/li>\n<li>For workgroup-joined environments or clients where Kerberos is not feasible, evaluate SSH authentication for Git operations, if SSH is supported and enabled in the Azure DevOps Server deployment.<\/li>\n<li>Validate Kerberos now and address any configuration gaps before September 2026.<\/li>\n<\/ul>\n<p>If you have questions or need help preparing for this change, please reach out through your usual Azure DevOps support channels.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operations over HTTPS against Azure DevOps Server (on-premises) will stop working for customers who rely on NTLM authentication. This change is part of a broader industry move toward more secure authentication mechanisms. [&hellip;]<\/p>\n","protected":false},"author":1006,"featured_media":71983,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[253],"tags":[],"class_list":["post-73035","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-devops-server"],"acf":[],"blog_post_summary":"<p>Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operations over HTTPS against Azure DevOps Server (on-premises) will stop working for customers who rely on NTLM authentication. This change is part of a broader industry move toward more secure authentication mechanisms. [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/73035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/1006"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=73035"}],"version-history":[{"count":1,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/73035\/revisions"}],"predecessor-version":[{"id":73074,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/73035\/revisions\/73074"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/71983"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=73035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=73035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=73035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}